Jump to content
Tuts 4 You
Sign in to follow this  
Followers 0
wwh1004

A better way to dump .NET assembly packed by a native stub

By wwh1004, in Reverse Engineering Articles

Recommended Posts

wwh1004    44

wwh1004
Posted (edited)

I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

I try my best to introduce it using English

1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper:D https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

4.fix pe header and maybe you shoud also fix .net header

This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

If you can not understand it, you can reply me.:)

Best wish.

Edited by wwh1004 (see edit history)
  • Like 5
  • Thanks 1

Share this post

Link to post

Keosoft90    0

Keosoft90
Posted

@wwh1004 : can you add 2 tools to here ?

Share this post

Link to post

BlackHat    57

BlackHat
Posted

There is a Script of OLLYDBG made by @GIV that also helps to unpack the Anti Dump protected .NET Files and newbie Friendly too.
But this method I tested and works well which you described.
Very nice Explanation too. Thank you !!! 

Share this post

Link to post

mdj    21

mdj
Posted (edited)

@wwh1004 please share video on other server i cannot download from pan.baidu

Edited by mdj (see edit history)

Share this post

Link to post

mdj    21

mdj
Posted

@kao:worthy: thank you very very much for this if you have time please upload second video 

Best Regards

Share this post

Link to post

john fast    0

john fast
Posted

@kao can you provide me assembly rebuilder?

Share this post

Link to post

john fast    0

john fast
Posted

@wwh1004 52pojie.cn asking for 

 Account registration code:

Can you provide me invitation link or create new account 😅

Share this post

Link to post

Sangavi    21

Sangavi
Posted
2 hours ago, john fast said:

@wwh1004 52pojie.cn asking for 

 Account registration code:

Can you provide me invitation link or create new account 😅

I believe they charge for giving out the invitation codes (it is not free of cost) as far as I remember.

Share this post

Link to post

john fast    0

john fast
Posted

Yes you are right.

Share this post

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing
×
×
  • Create New...